SAFSAF

Reputation: 405

How to protect API Platform operations with privileges

I have an API Platform project (Symfony) that contains a User entity with a Roles column (array). I have 3 roles: ROLE_USER, ROLE_COMMERCIAL, ROLE_ADMIN. I am protecting my operations like this:

"get"={
     "access_control"="is_granted('ROLE_ADMIN')",
     "security_post_denormalize_message"="Sorry, Only admins can View Users List"
}

But what I would like to achieve is to give each user privileges; for example, a user can view the users list but cannot edit it. I want to edit the privileges for each user later, which is why I don't want to use the role column. I am thinking of this table structure:

Upvotes: 0

Views: 58

Answers (1)

bja34

Reputation: 11

You can check out voters (https://symfony.com/doc/master/security/voters.html). It won't be exactly what you wanted, but it's the easiest way to give privileges, in your case to allow a user to view a list but not to edit it.

Upvotes: 1
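A voter of the kind the answer points to, as an added example that is not part of the original question or answer. The privilege names `USER_LIST` and `USER_EDIT`, the class name, and the `User::getPrivileges()` method are assumptions made for illustration; the method stands for whatever loads the per-user privilege rows.

```php
<?php
// src/Security/Voter/UserPrivilegeVoter.php (hypothetical path and class name)
namespace App\Security\Voter;

use App\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

/**
 * Decides access from per-user privileges instead of the roles column.
 *
 * Assumption: User::getPrivileges() returns the privilege strings stored
 * for that user, e.g. ['USER_LIST'], loaded from a separate privilege table.
 */
final class UserPrivilegeVoter extends Voter
{
    public const USER_LIST = 'USER_LIST';
    public const USER_EDIT = 'USER_EDIT';

    protected function supports($attribute, $subject): bool
    {
        // Vote only on our own privilege names; abstain on ROLE_* checks so
        // the existing is_granted('ROLE_ADMIN') rules keep working unchanged.
        return in_array($attribute, [self::USER_LIST, self::USER_EDIT], true);
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();

        // Deny by default: an unauthenticated caller holds no privileges.
        if (!$user instanceof User) {
            return false;
        }

        // Strict comparison, so only an exact stored privilege name grants access.
        return in_array($attribute, $user->getPrivileges(), true);
    }
}

// With service autoconfiguration enabled, Symfony registers the voter itself.
// Usage on the operations, with the same key the question uses:
//   "get"={"access_control"="is_granted('USER_LIST')"}
//   "put"={"access_control"="is_granted('USER_EDIT', object)"}
```

Because the voter returns false for anything not explicitly stored, revoking a privilege row takes effect on the user's next request without touching the roles column.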
